registry  /  verben-workflow-ui  /  0.5.79

verben-workflow-ui@0.5.79

This library was generated with [Angular CLI](https://github.com/angular/angular-cli) version 18.2.0.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

At application runtime, the exported HTTP client can attach an embedded fallback JWT to workflow API requests. No install-time execution or confirmed exfiltration path is established.

Static reason
One or more suspicious static signals were detected.
Trigger
A consuming application invokes `HttpWebRequestService` without configuring `environment.Token`.
Impact
May expose or unintentionally use a packaged credential against the configured workflow API.
Mechanism
Runtime HTTP requests include a hard-coded fallback Authorization token.
Rationale
The embedded fallback credential is a real security risk, but the inspected source is an Angular UI client whose network behavior is consumer-invoked and configured by the host application. It is suspicious rather than demonstrably malicious.
Evidence
package.jsonfesm2022/verben-workflow-ui-src-lib-services.mjsesm2022/src/lib/services/http-web-request.service.mjs

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `fesm2022/verben-workflow-ui-src-lib-services.mjs` embeds a JWT as the fallback `Authorization` value.
  • The token is automatically attached when consumers call the exported HTTP request service without an environment token.
Evidence against
  • `package.json` has no lifecycle scripts or executable bin entrypoints.
  • Requests use a consumer-supplied `environment.WorkFlowAPI`; no fixed external host is embedded.
  • No inspected source showed filesystem access, shell execution, dynamic code loading, credential harvesting, or persistence.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 319 file(s), 4.96 MB of source, external domains: example.com, www.w3.org

Source & flagged code

3 flagged · loading source
fesm2022/verben-workflow-ui-src-lib-services.mjsView file
52patternName = supabase_service_key severity = critical line = 52 matchedText = Authoriz...9g',
Critical
Critical Secret

Package contains a critical-looking secret pattern.

fesm2022/verben-workflow-ui-src-lib-services.mjsView on unpkg · L52
52patternName = supabase_service_key severity = critical line = 52 matchedText = Authoriz...9g',
Critical
Secret Pattern

Supabase service role key (JWT) in fesm2022/verben-workflow-ui-src-lib-services.mjs

fesm2022/verben-workflow-ui-src-lib-services.mjsView on unpkg · L52
esm2022/src/lib/services/http-web-request.service.mjsView file
26patternName = supabase_service_key severity = critical line = 26 matchedText = Authoriz...9g',
Critical
Secret Pattern

Supabase service role key (JWT) in esm2022/src/lib/services/http-web-request.service.mjs

esm2022/src/lib/services/http-web-request.service.mjsView on unpkg · L26

Findings

3 Critical3 Low
CriticalCritical Secretfesm2022/verben-workflow-ui-src-lib-services.mjs
CriticalSecret Patternfesm2022/verben-workflow-ui-src-lib-services.mjs
CriticalSecret Patternesm2022/src/lib/services/http-web-request.service.mjs
LowHigh Entropy Strings
LowUrl Strings
LowNo License